Menu
▾
▴
Re: [SSHGuard-users] Log human-readable service IDs instead of numbers?
|
From: Chris J. <joh...@as...> - 2018-11-03 00:33:09
|
Please take this "discussion" to a slack channel or something. I (and probably many others on this list), do not find this a helpful discourse at all. Chris On Fri, Nov 2, 2018 at 5:28 PM Ryan Root <rr...@ro...> wrote: > Whoever the coward "shadowbq" is, > > I have used sshguard and may use it in the future. I have a right to > investigate the integrity and technical competence of people making > decisions about it's future. If you don't like this list you get lost. > > Ryan > > > On 11/2/2018 5:26 PM, Ryan Root wrote: > > no > > > > On 11/2/2018 5:25 PM, Shadowbq wrote: > >> Ryan > >> > >> You are now trolling. Please be more respectful. > >> > >> - shadowbq > >> > >>> On Nov 2, 2018, at 8:10 PM, Ryan Root <rr...@ro...> > wrote: > >>> > >>> Are you two some of the actual programmers on this project? Not only > do > >>> you not know what the hell you are talking about when you get caught in > >>> lie you make up a bunch of crap as if you are smarter than someone who > >>> caught you. > >>> > >>>> On 11/2/2018 5:07 PM, Ryan Root wrote: > >>>> Bullshit! > >>>> > >>>>> On 11/2/2018 4:55 PM, Christopher Engelhard wrote: > >>>>> Hi all, > >>>>> what Kevin has described is exactly what I meant. And no, that does > not > >>>>> involve redefining 'ssh 22/tcp' as 'craftbeer' for the fun of it. > >>>>> Maybe me referencing "services" is what caused the confusion. > 'Programs' > >>>>> might have been clearer - sshguard just happens to currently name > what > >>>>> it matches a 'service'. > >>>>> > >>>>> So, to hopefully fully clarify what I'm proposing: > >>>>> 1) sshguard does not match against services like IMAP/POP3/FTP etc., > but > >>>>> against the log output of *programs* like Pure-FTPd or Postfix. > >>>>> 2) currently, it assigns each program whose log output it > understands a > >>>>> number internally and reports this number in the logs. This is not > very > >>>>> helpful to the user, who will probably not know that 'Attack from > <IP> > >>>>> on service 320' refers to the Pure-FTPd FTP daemon. > >>>>> 3) I propose to instead log the actual name of the program as > defined by > >>>>> upstream (I'm all in favour of following standards) instead, i.e. > >>>>> 'Attack from <IP> on Pure-FTPd'. If internally service ID numbers are > >>>>> still used, one could log these as well, e.g. '<name> (<number>') > >>>>> > >>>>> If I understand you, Ryan, correctly, you're proposing logging > standard > >>>>> internet service names instead, e.g. mapping internal matches for > >>>>> Dovecot, Courier, Exim to 'Attack on IMAP'/'... POP' etc., correct? > >>>>> > >>>>> That is not without merit. However, this > >>>>> - would mean that the log no longer really represents what SSHGuard > is > >>>>> actually doing, which is bad for tracking down errors when something > >>>>> doesn't work as expected > >>>>> - might not be possible in cases where one program handles multiple > >>>>> standard services (e.g. IMAP/POP/SMTP submission for Dovecot), > depending > >>>>> on how exactly the given program decides to format its logs > >>>>> - would mean inconsistency or a significant loss of information in > the > >>>>> special case of the various attacks of webservices - these would all > be > >>>>> reported as "attack on www", as I don't think there is a RFC for the > >>>>> Django login page > >>>>> > >>>>> It might be a good idea to include the service in the message, e.g. > >>>>> 'Attack on WWW (Wordpress)' or 'Attack on IMAP/POP (Dovecot)', > though. > >>>>> > >>>>> > >>>>> I hope that clears things up. > >>>>> > >>>>> Best, > >>>>> Christopher > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> sshguard-users mailing list > >>>>> ssh...@li... > >>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users > >>>>> > >>>> _______________________________________________ > >>>> sshguard-users mailing list > >>>> ssh...@li... > >>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users > >>>> > >>> > >>> _______________________________________________ > >>> sshguard-users mailing list > >>> ssh...@li... > >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > > > > > > _______________________________________________ > > sshguard-users mailing list > > ssh...@li... > > https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > > > > _______________________________________________ > sshguard-users mailing list > ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > |
